Ivanti Endpoint Manager
By the Year
In 2025 there have been 24 vulnerabilities in Ivanti Endpoint Manager with an average score of 7.2 out of ten. Last year, in 2024, Endpoint Manager had 47 security vulnerabilities published. Right now, Endpoint Manager is on track to have fewer security vulnerabilities in 2025 than it did last year. Last year, the average CVE base score was greater by 0.65.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 24 | 7.16 |
2024 | 47 | 7.81 |
2023 | 6 | 8.32 |
2022 | 3 | 8.10 |
2021 | 0 | 0.00 |
2020 | 6 | 7.50 |
2019 | 1 | 9.80 |
2018 | 0 | 0.00 |
It may take a day or so for new Endpoint Manager vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Ivanti Endpoint Manager Security Vulnerabilities
SQL injection in Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1
CVE-2025-7037
- July 08, 2025
SQL injection in Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1 allows a remote authenticated attacker with admin privileges to read arbitrary data from the database
SQL Injection
Improper use of encryption in the agent of Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1
CVE-2025-6996
- July 08, 2025
Improper use of encryption in the agent of Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1 allows a local authenticated attacker to decrypt other users' passwords.
Storing Passwords in a Recoverable Format
Improper use of encryption in the agent of Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1
CVE-2025-6995
- July 08, 2025
Improper use of encryption in the agent of Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1 allows a local authenticated attacker to decrypt other users' passwords.
Storing Passwords in a Recoverable Format
DLL hijacking in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7
CVE-2025-22458
7.8 - High
- April 08, 2025
DLL hijacking in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows an authenticated attacker to escalate to System.
DLL preloading
Improper certificate validation in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7
CVE-2025-22459
4.8 - Medium
- April 08, 2025
Improper certificate validation in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to intercept limited traffic between clients and servers.
Improper Certificate Validation
SQL injection in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7
CVE-2025-22461
7.2 - High
- April 08, 2025
SQL injection in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote authenticated attacker with admin privileges to achieve code execution.
SQL Injection
An untrusted pointer dereference vulnerability in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7
CVE-2025-22464
6.1 - Medium
- April 08, 2025
An untrusted pointer dereference vulnerability in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows an attacker with local access to write arbitrary data into memory causing a denial-of-service condition.
Untrusted Pointer Dereference
Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7
CVE-2025-22465
6.1 - Medium
- April 08, 2025
Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to execute arbitrary JavaScript in a victim's browser. Unlikely user interaction is required.
XSS
Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7
CVE-2025-22466
9.6 - Critical
- April 08, 2025
Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required.
XSS
An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update
CVE-2024-13170
- January 14, 2025
An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service.
Memory Corruption
Insufficient filename validation in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update
CVE-2024-13171
- January 14, 2025
Insufficient filename validation in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is required.
Unrestricted File Upload
Improper signature verification in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update
CVE-2024-13172
- January 14, 2025
Improper signature verification in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is required.
Improper Verification of Cryptographic Signature
An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update
CVE-2024-13168
- January 14, 2025
An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service.
Memory Corruption
An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update
CVE-2024-13167
- January 14, 2025
An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service.
Memory Corruption
An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update
CVE-2024-13166
- January 14, 2025
An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service.
Memory Corruption
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update
CVE-2024-13160
7.5 - High
- January 14, 2025
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
Absolute Path Traversal
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update
CVE-2024-13161
7.5 - High
- January 14, 2025
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
Absolute Path Traversal
An out-of-bounds read in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update
CVE-2024-13169
- January 14, 2025
An out-of-bounds read in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a local authenticated attacker to escalate their privileges.
Out-of-bounds Read
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update
CVE-2024-13159
7.5 - High
- January 14, 2025
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
Absolute Path Traversal
SQL injection in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update
CVE-2024-13162
- January 14, 2025
SQL injection in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. This CVE addresses incomplete fixes from CVE-2024-32848.
SQL Injection
Deserialization of untrusted data in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update
CVE-2024-13163
- January 14, 2025
Deserialization of untrusted data in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is required.
Marshaling, Unmarshaling
An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update
CVE-2024-13165
- January 14, 2025
An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service.
Memory Corruption
An uninitialized resource in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update
CVE-2024-13164
- January 14, 2025
An uninitialized resource in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a local authenticated attacker to escalate their privileges.
Use of Uninitialized Resource
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update
CVE-2024-10811
7.5 - High
- January 14, 2025
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
Directory traversal
Ivanti Endpoint Manager SQL Injection Vulnerability
CVE-2024-34782
7.2 - High
- November 13, 2024
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update
CVE-2024-32839
7.2 - High
- November 13, 2024
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update
CVE-2024-32841
7.2 - High
- November 13, 2024
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update
CVE-2024-32844
- November 13, 2024
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update
CVE-2024-32847
7.2 - High
- November 13, 2024
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Ivanti Endpoint Manager SQL Injection Vulnerability
CVE-2024-37376
7.2 - High
- November 13, 2024
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Ivanti Endpoint Manager Path Traversal Vulnerability
CVE-2024-34787
7.8 - High
- November 13, 2024
Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required.
Ivanti Endpoint Manager SQL Injection Vulnerability
CVE-2024-34784
7.2 - High
- November 13, 2024
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Ivanti Endpoint Manager SQL Injection Vulnerability
CVE-2024-34781
7.2 - High
- November 13, 2024
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Ivanti Endpoint Manager SQL Injection Vulnerability
CVE-2024-34780
7.2 - High
- November 13, 2024
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Ivanti Endpoint Manager SQL Injection Vulnerability
CVE-2024-50327
7.2 - High
- November 12, 2024
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
SQL Injection
Ivanti Endpoint Manager SQL Injection Vulnerability
CVE-2024-50328
7.2 - High
- November 12, 2024
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
SQL Injection
Ivanti Endpoint Manager Path Traversal Vulnerability
CVE-2024-50329
8.8 - High
- November 12, 2024
Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.
Directory traversal
Ivanti Endpoint Manager SQL Injection Vulnerability
CVE-2024-50326
7.2 - High
- November 12, 2024
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
SQL Injection
Ivanti Endpoint Manager: Path Traversal Vulnerability in File Upload Component
CVE-2024-50324
7.2 - High
- November 12, 2024
Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Directory traversal
Ivanti Endpoint Manager SQL Injection Vulnerability
CVE-2024-50323
7.8 - High
- November 12, 2024
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required.
SQL Injection
Ivanti Endpoint Manager Path Traversal Vulnerability
CVE-2024-50322
7.8 - High
- November 12, 2024
Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required.
Directory traversal
Ivanti Endpoint Manager SQL Injection Vulnerability
CVE-2024-50330
9.8 - Critical
- November 12, 2024
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution.
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update
CVE-2024-34785
7.2 - High
- September 12, 2024
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
SQL Injection
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update
CVE-2024-34779
7.2 - High
- September 12, 2024
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
SQL Injection
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update
CVE-2024-34783
7.2 - High
- September 12, 2024
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
SQL Injection
Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update
CVE-2024-29847
9.8 - Critical
- September 12, 2024
Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.
Marshaling, Unmarshaling
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update
CVE-2024-32840
7.2 - High
- September 12, 2024
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
SQL Injection
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update
CVE-2024-32842
7.2 - High
- September 12, 2024
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
SQL Injection
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update
CVE-2024-32843
7.2 - High
- September 12, 2024
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
SQL Injection
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update
CVE-2024-32845
7.2 - High
- September 12, 2024
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
SQL Injection
